Check-in [369965b608]
Overview
Comment:Added more notes to doc file.
SHA3-256: 369965b608426682bb5d6bd76ba3fc359bfd4ba979100066141fd01967d24aec
User & Date: bohagan on 2024-06-23 00:51:49
Context
2024-06-23
01:39
Undo change in OpenSSL 1.1.1 which enabled SSL_MODE_AUTO_RETRY. This will avoid hangs in blocking mode after a non-app record is received, but an app record is not yet available. Also enabled SSL_MODE_ENABLE_PARTIAL_WRITE, which allows writes with fewer than all records written to be successful. check-in: 991ab74cdd user: bohagan tags: tls-1.8
00:51
Added more notes to doc file. check-in: 369965b608 user: bohagan tags: tls-1.8
2024-06-20
01:01
Added support for setting the certificate store check-in: 1cabc3b8f2 user: bohagan tags: tls-1.8
Changes

Modified doc/tls.html from [6b223dd015] to [4577570d14].

184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205

206
207

208
209


210
211


212
213
214
215
216
217
218
	    is set to true, then <strong>-request</strong> must also be set to true
	    and a either a -cadir, -cafile, or platform default must be provided in
	    order to validate against. (default is <em>false</em>)</dd>
	<dt><strong>-security_level</strong> <em>integer</em></dt>
	<dd>Specifies the security level (value from 0 to 5). The security level
	    affects the cipher suite encryption algorithms, supported ECC curves,
	    supported signature algorithms, DH parameter sizes, certificate key
	    sizes and signature algorithms. The default is 1. Level 3 and higher
	    disable support for session tickets and only accept cipher suites that
	    provide forward secrecy.</dd>
	<dt><strong>-server</strong> <em>bool</em></dt>
	<dd>Specifies whether to act as a server and respond with a server
	    handshake when a client connects and provides a client handshake.
	    (default is <em>false</em>)</dd>
	<dt><strong>-servername</strong> <em>host</em></dt>
	<dd>Specify server's hostname. This is used to set the TLS Server Name
	    Indication (SNI) extension. Set this to the expected servername in the
	   server's certificate or one of the subjectAltName alternates.</dd>
	<dt><strong>-session_id</strong> <em>string</em></dt>
	<dd>Specifies the session id to resume session.</dd>
	<dt><strong>-ssl2</strong> <em>bool</em></dt>
	<dd>Enable use of SSL v2. (default is <em>false</em>)</dd>

	<dt><strong>-ssl3 </strong><em>bool</em></dt>
	<dd>Enable use of SSL v3. (default is <em>false</em>)</dd>

	<dt>-<strong>tls1</strong> <em>bool</em></dt>
	<dd>Enable use of TLS v1. (default is <em>true</em>)</dd>


	<dt>-<strong>tls1.1</strong> <em>bool</em></dt>
	<dd>Enable use of TLS v1.1 (default is <em>true</em>)</dd>


	<dt>-<strong>tls1.2</strong> <em>bool</em></dt>
	<dd>Enable use of TLS v1.2 (default is <em>true</em>)</dd>
	<dt>-<strong>tls1.3</strong> <em>bool</em></dt>
	<dd>Enable use of TLS v1.3 (default is <em>true</em>)</dd>
	<dt><strong>-validatecommand</strong> <em>callback</em></dt>
	<dd>Specifies the callback command to invoke to validate protocol
	    config parameters during the protocol negotiation phase. This can be







|
|
|











|
>

|
>

|
>
>

|
>
>







184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
	    is set to true, then <strong>-request</strong> must also be set to true
	    and a either a -cadir, -cafile, or platform default must be provided in
	    order to validate against. (default is <em>false</em>)</dd>
	<dt><strong>-security_level</strong> <em>integer</em></dt>
	<dd>Specifies the security level (value from 0 to 5). The security level
	    affects the cipher suite encryption algorithms, supported ECC curves,
	    supported signature algorithms, DH parameter sizes, certificate key
	    sizes and signature algorithms. The default is 1 prior to OpenSSL 3.2
	    and 2 thereafter. Level 3 and higher disable support for session
	    tickets and only accept cipher suites that provide forward secrecy.</dd>
	<dt><strong>-server</strong> <em>bool</em></dt>
	<dd>Specifies whether to act as a server and respond with a server
	    handshake when a client connects and provides a client handshake.
	    (default is <em>false</em>)</dd>
	<dt><strong>-servername</strong> <em>host</em></dt>
	<dd>Specify server's hostname. This is used to set the TLS Server Name
	    Indication (SNI) extension. Set this to the expected servername in the
	   server's certificate or one of the subjectAltName alternates.</dd>
	<dt><strong>-session_id</strong> <em>string</em></dt>
	<dd>Specifies the session id to resume session.</dd>
	<dt><strong>-ssl2</strong> <em>bool</em></dt>
	<dd>Enable use of SSL v2. (default is <em>false</em>).
	Note: Recent versions of OpenSSL don't support SSLv2.</dd>
	<dt><strong>-ssl3 </strong><em>bool</em></dt>
	<dd>Enable use of SSL v3. (default is <em>false</em>).
	Note: SSL v3 must also be enabled with a compile time option.</dd>
	<dt>-<strong>tls1</strong> <em>bool</em></dt>
	<dd>Enable use of TLS v1. (default is <em>true</em>).
	Note: TLS 1.0 needs SHA1 to operate, which is only available in
	security level 0 for Open SSL 3.0+.</dd>
	<dt>-<strong>tls1.1</strong> <em>bool</em></dt>
	<dd>Enable use of TLS v1.1 (default is <em>true</em>).
	Note: TLS 1.1 needs SHA1 to operate, which is only available in
	security level 0 for Open SSL 3.0+.</dd>
	<dt>-<strong>tls1.2</strong> <em>bool</em></dt>
	<dd>Enable use of TLS v1.2 (default is <em>true</em>)</dd>
	<dt>-<strong>tls1.3</strong> <em>bool</em></dt>
	<dd>Enable use of TLS v1.3 (default is <em>true</em>)</dd>
	<dt><strong>-validatecommand</strong> <em>callback</em></dt>
	<dd>Specifies the callback command to invoke to validate protocol
	    config parameters during the protocol negotiation phase. This can be
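Review bot: The new notes under -tls1 and -tls1.1 state that TLS 1.0 and 1.1 need SHA1 and are therefore only usable at security level 0 on OpenSSL 3.0+, yet both entries still say "(default is true)" and the -security_level entry now documents a default of 1 (2 from OpenSSL 3.2); consider saying explicitly that these protocols will not be negotiated under the default configuration unless -security_level is set to 0, so the "true" default is not read as "enabled and working". Minor: "Open SSL 3.0+" should be "OpenSSL 3.0+" in both notes, the new "(default is false)." sentences put the period after the parenthesis while the surrounding entries put none, and since the -require text at the top of the hunk is already in the changed region, "a either a -cadir, -cafile, or platform default" could be corrected to "either a -cadir, -cafile, or platform default" at the same time.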